Tags: google-cloud-platform, gsutil, google-cloud-iam, google-cloud-python, gcloud-python

gsutil iam ch command using python


I am trying to use python to do the same functionality as this command:

gsutil iam ch group:group_name@gmail.com:objectAdmin gs://bucket_name

I am trying to give the objectAdmin role to a group using Python. The above command works well in cloud PowerShell, but I could not do it in Python yet.

I have tried to do this by replacing the "members": {member} with "groups": {group_name} in this add_bucket_iam_member function here:

from google.cloud import storage


def add_bucket_iam_member(bucket_name, role, member):
    """Add a new member to an IAM Policy"""
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g., roles/storage.objectViewer"
    # member = "IAM identity, e.g., user: name@example.com"
    # group_name: the group address, assumed to be defined elsewhere in the script

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    # original line from the sample:
    # policy.bindings.append({"role": role, "members": {member}})
    policy.bindings.append({"role": role, "groups": {group_name}})

    bucket.set_iam_policy(policy)

    print("Added {} with role {} to {}.".format(member, role, bucket_name))

It doesn't give an error, but it did not work either: after it finishes, and after getting the policy dict again, the group permission that I have set is gone. (Meanwhile, it works fine with members.)

I have also tried:

os.system("gsutil iam ch group:group_name@gmail.com:objectAdmin gs://bucket_name")

and

subprocess.run("gsutil iam ch group:group_name@gmail.com:objectAdmin gs://bucket_name", shell=True)

but that did not work either.

Any help?


Solution

  • OK, your policy.bindings.append is incorrect.

    You want what you originally had:

    role = "roles/storage.objectViewer"
    
    group = "some@googlegroups.com"
    
    member = f"group:{group}"
    
    policy.bindings.append({
      "role": role,
      "members": {
        member,
      }
    })
    

    Full example:

    from os import getenv
    from google.cloud import storage
    
    bucket_name = getenv("BUCKET")
    group = getenv("GROUP")
    role = "roles/storage.objectViewer"
    
    member = f"group:{group}"
    
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    
    policy = bucket.get_iam_policy(requested_policy_version=3)
    
    
    policy.bindings.append({
        "role": role, 
        "members": {
            member,
        }
    })
    bucket.set_iam_policy(policy)
    
    print("Added {} with role {} to {}.".format(member, role, bucket_name))
    

    And:

    PROJECT="[[YOUR-PROJECT]]"
    ACCOUNT="[[YOUR-SERVICE-ACCOUNT]]"
    BUCKET="[[YOUR-BUCKET]]"
    GROUP="[[YOUR-GROUP-EMAIL]]"
    
    gcloud projects create ${PROJECT}
    
    gcloud iam service-accounts create ${ACCOUNT} \
    --project=${PROJECT}
    
    EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"
    
    gcloud iam service-accounts keys create ${PWD}/${ACCOUNT}.json \
    --iam-account=${EMAIL} \
    --project=${PROJECT}
    
    gcloud projects add-iam-policy-binding ${PROJECT} \
    --member=serviceAccount:${EMAIL} \
    --role=roles/storage.admin
    
    export GOOGLE_APPLICATION_CREDENTIALS=${PWD}/${ACCOUNT}.json
    export GROUP
    export BUCKET
    
    python3 -m venv venv
    source venv/bin/activate
    python3 -m pip install google-cloud-storage
    python3 main.py
    

    Yields:

    Added group:${GROUP} with role roles/storage.objectViewer to ${BUCKET}.
    

    And:

    FILTER=".bindings[]|select(.members|index(\"group:${GROUP}\")).role"
    
    gsutil iam get gs://${BUCKET} \
    | jq -r "${FILTER}"
    

    Yields:

    roles/storage.objectViewer
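As an added example (not part of the answer above or of the google-cloud-storage library), the same grant done the way `gsutil iam ch` behaves: the `member_type:address:role` spec is parsed, a bare role name gets the `roles/storage.` prefix, and the member is merged into the existing binding for that role instead of appending a second binding, while bindings that carry an IAM condition are left untouched so a conditional grant is never silently widened. The helper names, the `pure` functions and the read-back check in `apply` are my assumptions, not gsutil's own code.

```python
"""Replicate `gsutil iam ch group:addr:objectAdmin gs://bucket` on the python client."""
from typing import Dict, List, Tuple

Binding = Dict[str, object]


def parse_ch_spec(spec: str) -> Tuple[str, str]:
    """Split 'group:team@example.com:objectAdmin' into (member, role).
    The member keeps its 'group:' prefix; a role without a '/' gets the
    'roles/storage.' prefix that the gsutil shorthand implies."""
    member, _, role = spec.rpartition(":")
    if not member or not role or ":" not in member:
        raise ValueError(f"bad member spec: {spec!r}")
    if "/" not in role:
        role = "roles/storage." + role
    return member, role


def grant(bindings: List[Binding], role: str, member: str) -> bool:
    """Add member to the unconditional binding for role, creating it if absent.
    Returns True when the policy changed. Conditional bindings are skipped:
    merging into one would extend the grant under a condition nobody reviewed."""
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            members = set(binding.get("members", ()))
            if member in members:
                return False
            members.add(member)
            binding["members"] = members
            return True
    bindings.append({"role": role, "members": {member}})
    return True


def has_grant(bindings: List[Binding], role: str, member: str) -> bool:
    """Verify, on a policy read back from the API, that the grant is present."""
    return any(b.get("role") == role and member in b.get("members", ())
               for b in bindings)


def apply(bucket_name: str, spec: str) -> bool:
    """Wire the helpers to the storage client (import kept local so the
    pure helpers above can be exercised offline). Returns the read-back result."""
    from google.cloud import storage

    member, role = parse_ch_spec(spec)
    bucket = storage.Client().bucket(bucket_name)
    policy = bucket.get_iam_policy(requested_policy_version=3)
    if grant(policy.bindings, role, member):
        bucket.set_iam_policy(policy)
    policy = bucket.get_iam_policy(requested_policy_version=3)
    return has_grant(policy.bindings, role, member)
```

Call `apply("your-bucket", "group:team@example.com:objectAdmin")` with `GOOGLE_APPLICATION_CREDENTIALS` set; a `False` return means the binding did not survive the round trip and the policy should be inspected with `gsutil iam get`.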